Authorization scriptlet — how to allow a restricted certificate to access a single storage pool

Hello everyone,

I’ve been having a lot of trouble with configuring a restricted certificate in such a way that it has full access to a single storage pool.

I’ve been documenting these steps as I go, and then uploading them to my blog:

https://moonpiedumplings.github.io/projects/build-server-6/#authorization

This has everything I’ve tried and why it ended up not working.

I’m currently at this:

def authorize(details, object, entitlement):
  # Unrestricted certificate: allow everything.
  if details.Username == "96bd207fe6a1b5ca48284f012e036fff43126870c52949479fe5647c61791db2":
    return True
  # Restricted certificate: limit it to the layer8 pool and project.
  if details.Username == "025a3516ca2c622a93446548954e33d75eafa3e8173d0d6a435fc27d4072932e":
    # Requests whose object is a storage pool: only layer8 is allowed.
    if object.startswith("storage_pool:"):
      if object != "storage_pool:layer8":
        return False
      return True
    # Never allow all-projects requests.
    if details.IsAllProjectsRequest:
      return False
    # Allow viewing the layer8 project itself.
    if object == "project:layer8":
      if entitlement == "can_view":
        return True
    # Allow anything else scoped to the layer8 project.
    if details.ProjectName == "layer8":
      return True
    # In the default project, only resource viewing.
    if details.ProjectName == "default":
      if entitlement == "can_view_resources":
        return True
    # Server-level read-only entitlements.
    if object == "server:incus":
      if entitlement == "can_view":
        return True
      if entitlement == "can_view_resources":
        return True
  # Deny anything not explicitly allowed above, including unknown certificates
  # (without this, a request matching none of the branches returns None).
  return False

But this doesn’t restrict the certificate I want to be restricted, the latter one, from uploading ISOs to the default storage pool.

Also1: Is this some kind of XY problem? Do I even need to separate storage pools, if isolating volumes prevents users with access to the same storage pool from messing with each other?

(Although in the future I may want separate storage pools)

Also1: Is this an XY problem of some kind? Is there anything nefarious that can be deployed to

Also2: once I’m done and have figured this out, I would like to turn my notes into documentation for the authorization scriptlet, since it seems to be a useful feature, but the documentation is lacking.
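As an added illustration (not code from the original post or from Incus), here is a plain-Python harness that mirrors the posted scriptlet branch by branch and reports which branch decided each request. Incus runs the real scriptlet as Starlark; the subset used here is valid in both. The request details, object names and entitlements below are constructed for the example, and "can_create_storage_volumes" is an assumed entitlement name standing in for whatever the ISO upload is actually checked against, not something taken from the post.

```python
# Added example: offline harness for the posted authorization scriptlet.
# Not part of the original post and not Incus code; constructed inputs only.
from collections import namedtuple

ADMIN_FP = "96bd207fe6a1b5ca48284f012e036fff43126870c52949479fe5647c61791db2"
RESTRICTED_FP = "025a3516ca2c622a93446548954e33d75eafa3e8173d0d6a435fc27d4072932e"

# Minimal stand-in for the request details the scriptlet receives; only the
# three attributes the posted scriptlet actually reads are modelled.
Details = namedtuple("Details", ["Username", "ProjectName", "IsAllProjectsRequest"])


def decide(details, object, entitlement):
    """Evaluate the posted scriptlet's checks in order; return (allowed, branch).

    The branch labels are added here so a reader can see *why* a request
    passed or failed, not just whether it did.
    """
    if details.Username == ADMIN_FP:
        return True, "unrestricted-cert"
    if details.Username != RESTRICTED_FP:
        return False, "unknown-cert"
    # Only requests whose object *is* a storage pool ever consult a pool name.
    if object.startswith("storage_pool:"):
        if object != "storage_pool:layer8":
            return False, "pool-object-not-layer8"
        return True, "pool-object-layer8"
    if details.IsAllProjectsRequest:
        return False, "all-projects"
    if object == "project:layer8" and entitlement == "can_view":
        return True, "view-layer8-project"
    # Any request scoped to the layer8 project is granted here, whatever pool
    # the underlying operation targets: the pool name is not in the arguments.
    if details.ProjectName == "layer8":
        return True, "any-request-in-layer8-project"
    if details.ProjectName == "default" and entitlement == "can_view_resources":
        return True, "view-resources-default-project"
    if object == "server:incus" and entitlement in ("can_view", "can_view_resources"):
        return True, "view-server"
    return False, "fallthrough-deny"


def authorize(details, object, entitlement):
    """Scriptlet-shaped entry point: a bare boolean, as the scriptlet returns."""
    return decide(details, object, entitlement)[0]


# Constructed requests (not captured from a real Incus server). The object and
# entitlement strings follow the "kind:name" / "can_*" shape used in the posted
# scriptlet; "can_create_storage_volumes" is an assumed entitlement name.
restricted_in_layer8 = Details(RESTRICTED_FP, "layer8", False)
restricted_in_default = Details(RESTRICTED_FP, "default", False)

SAMPLE_REQUESTS = [
    ("pool-object",  restricted_in_layer8, "storage_pool:default", "can_view"),
    ("iso-upload",   restricted_in_layer8, "project:layer8", "can_create_storage_volumes"),
    ("all-projects", Details(RESTRICTED_FP, "layer8", True), "project:layer8", "can_view"),
    ("default-edit", restricted_in_default, "project:default", "can_edit"),
    ("server-view",  restricted_in_default, "server:incus", "can_view"),
]


def run_samples():
    """Evaluate every constructed request; return {label: (allowed, branch)}."""
    return {label: decide(d, obj, ent) for label, d, obj, ent in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, (allowed, branch) in run_samples().items():
        print(f"{label:13} allowed={allowed!s:5} via {branch}")
```

The point the harness makes visible: the only argument in which a pool name can reach the scriptlet is object, so the storage_pool: prefix check fires only when the pool itself is the thing being authorized. A request authorized against the project (ProjectName == "layer8") is granted by the project branch before any pool name is consulted, which is consistent with the behaviour described for ISO uploads. Substitute the real object and entitlement strings from your own server's requests for the assumed ones to check your actual case.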

If you have pools foo, bar and baz and only want to see foo, you would do:

incus project create my-new-project
incus project set my-new-project limits.disk.pool.bar=0 limits.disk.pool.baz=0
incus config trust add-certificate my-certificate.crt --restricted --projects my-new-project

And now my-certificate.crt can only see the my-new-project project and that project can only use pool foo.

In general most of Incus’ isolation is done at the project level.
The authorization logic can be a bit more fine-grained than that, but it gets pretty tricky pretty quickly as not everything is user driven and so not everything goes through the same authorization paths.

Is there a way to restrict access to storage pools that is deny by default, rather than explicitly denying access to certain storage pools?